windows-kernel-security

Original：🇺🇸 English

Translated

Guide for Windows kernel security research including driver development, system callbacks, security features, and kernel exploitation. Use this skill when working with Windows drivers, PatchGuard, DSE, or kernel-level security mechanisms.

2installs

Sourcegmh5225/awesome-game-security

Added on2026-02-04

NPX Install

npx skill4agent add gmh5225/awesome-game-security windows-kernel-security

SKILL.md Content

View Translation Comparison →

Windows Kernel Security

Overview

This skill covers Windows kernel security topics from the awesome-game-security collection, including driver development, system callbacks, security feature bypasses, and kernel-mode exploitation.

Core Kernel Concepts

Important Structures

EPROCESS / ETHREAD
PEB / TEB
DRIVER_OBJECT
DEVICE_OBJECT
IRP (I/O Request Packet)

Key Tables

SSDT (System Service Descriptor Table)
IDT (Interrupt Descriptor Table)
GDT (Global Descriptor Table)
PspCidTable (Process/Thread handle table)

Security Features

PatchGuard (Kernel Patch Protection)

- Protects critical kernel structures
- Periodic verification checks
- BSOD on tampering detection
- Multiple trigger mechanisms

Driver Signature Enforcement (DSE)

- Requires signed drivers
- CI.dll verification
- Test signing mode
- WHQL certification

Hypervisor Code Integrity (HVCI)

- VBS-based protection
- Kernel code integrity
- Driver compatibility requirements
- Memory restrictions

Secure Boot

- UEFI-based boot verification
- Boot loader chain validation
- Kernel signature checks
- DBX (forbidden signatures)

Kernel Callbacks

Process Callbacks

cpp

PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetCreateProcessNotifyRoutineEx2

Thread Callbacks

cpp

PsSetCreateThreadNotifyRoutine
PsSetCreateThreadNotifyRoutineEx

Image Load Callbacks

cpp

PsSetLoadImageNotifyRoutine
PsSetLoadImageNotifyRoutineEx

Object Callbacks

cpp

ObRegisterCallbacks
// OB_OPERATION_HANDLE_CREATE
// OB_OPERATION_HANDLE_DUPLICATE

Registry Callbacks

cpp

CmRegisterCallback
CmRegisterCallbackEx

Minifilter Callbacks

cpp

FltRegisterFilter
// IRP_MJ_CREATE, IRP_MJ_READ, etc.

Driver Development

Basic Structure

cpp

NTSTATUS DriverEntry(
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath
) {
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    // Create device, symbolic link...
    return STATUS_SUCCESS;
}

Communication Methods

IOCTL (DeviceIoControl)
Direct I/O
Buffered I/O
Shared memory

Vulnerable Driver Exploitation

Common Vulnerability Types

Arbitrary read/write primitives
IOCTL handler vulnerabilities
Pool overflow
Use-after-free

Notable Vulnerable Drivers

- gdrv.sys (Gigabyte)
- iqvw64e.sys (Intel)
- MsIo64.sys
- Mhyprot2.sys (Genshin Impact)
- dbutil_2_3.sys (Dell)
- RTCore64.sys (MSI)
- Capcom.sys

Exploitation Steps

Load vulnerable signed driver
Trigger vulnerability
Achieve kernel read/write
Disable DSE or load unsigned driver
Execute arbitrary kernel code

PatchGuard Bypass Techniques

Timing-Based

Predict PG timer
Modify between checks

Context Manipulation

Exception handling
DPC manipulation
Thread context tampering

Hypervisor-Based

EPT manipulation
Memory virtualization
Intercept PG checks

Kernel Hooking

ETW (Event Tracing for Windows)

- InfinityHook technique
- HalPrivateDispatchTable
- System call tracing

SSDT Hooking (Legacy)

- Modify service table entries
- Requires PG bypass
- High detection risk

IRP Hooking

- Hook driver dispatch routines
- Less monitored than SSDT
- Per-driver targeting

Memory Manipulation

Physical Memory Access

cpp

MmMapIoSpace
MmCopyMemory
\\Device\\PhysicalMemory

Virtual Memory

cpp

ZwReadVirtualMemory
ZwWriteVirtualMemory
KeStackAttachProcess
MmCopyVirtualMemory

MDL Operations

cpp

IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache

Research Tools

Analysis

WinDbg / WinDbg Preview
Process Hacker / System Informer
OpenArk
WinArk

Utilities

KDU (Kernel Driver Utility)
OSR Driver Loader
DriverView

Monitoring

Process Monitor
API Monitor
ETW consumers

EFI/UEFI Integration

Boot-Time Access

- EFI runtime services
- Boot driver loading
- Pre-OS execution

Memory Access

- GetVariable/SetVariable
- Runtime memory mapping
- Physical memory access

Hypervisor Development

Intel VT-x

VMCS configuration
EPT (Extended Page Tables)
VM exits handling

AMD-V

VMCB structure
NPT (Nested Page Tables)
SVM operations

Use Cases

Memory hiding
Syscall interception
Security monitoring
Anti-cheat evasion

Resource Organization

The README contains categorized links for:

PatchGuard research and bypasses
DSE bypass techniques
Vulnerable driver exploits
Kernel callback enumeration
ETW/PMI/NMI handlers
Intel PT integration

Data Source

Important: This skill provides conceptual guidance and overview information. For detailed information including:

Specific GitHub repository links
Complete project lists with descriptions
Up-to-date tools and resources
Code examples and implementations

Please fetch the complete data from the main repository:

https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md

The main README contains thousands of curated links organized by category. When users ask for specific tools, projects, or implementations, retrieve and reference the appropriate sections from this source.